When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
Replying to @pcwalton
I still hate the high dependency count. It’s a nightmare. In Rust as well as in JavaScript. I think dependency groups would help (grouped by org)
Replying to @pcwalton
How do you vet and security check them all? Any process one can put in place scales badly with the number of dependencies.
Replying to @mitsuhiko
How do you vet and security check all the OS libraries you depend on? I think people like to complain about Cargo, NPM, etc. because they make the complexity of software very visible, when the real issue is just that software is complex.
Replying to @pcwalton @mitsuhiko
I am *way* more worried about the Windows kernel from a security perspective than I am about left-pad.
This Tweet is unavailable.
Their security practices are better, but that’s dwarfed by *sheer volume* of code. Including all of win32k.
This Tweet is unavailable.
Replying to @_moonstorms @sunshowers6 and
Is that the thing to care about? ISTM a breach affecting a million users deserves more attention than a breach affecting ten users.